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REPORT OF INSPECTION 


CIA INFORMATION SECURITY PROGRAM 


GENERAL 

A. Authority: Executive Order 12065, Section 5-202(a) 
and (h) soe ne tS et 

B. Date” August land 2, 1979 

a eee 

Cc. ISOO Representatives: Harold Mason and John Cornett, 
Program Analysts. 

D. Purpose: To make an initial evaluation of agency 
actions to implement Executive Order 12065 and 
ISOO Directive No. l. 

Big Prinicipal Contacts: See enclosure 1 

F. Method: Discussion with agency personnel and review 
of CIA classified holdings in accordance with proce- 
dures in enclosure 2. 

FINDINGS 

A. GENERAL RESPONSIBILITIES: 


One of the basic measures of compliance with the 


Order and Directive is the degree to which an 


-agency has fulfilled the general responsibilities, 


applicable to all agencies which originate or 
handle classified information, outlined in Section 
5-4 of the Order. A summary of actions by the 

CIA staff in this regard follows. 


1. (5-401/402). An unclassified agency information 
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security regulation and unclassified guidelines 
for systematic declassification review had been 
developed and issued. They had not been published 
in the Federal Register. Although the guidelines 
had been approved by ISOO, the regulation had not 
(i.e., IS0O0 had: recommended changes, but the 
changes had not been implemented). 

2. (5-403). Four classified classification guides, 
with a total distribution of 3,431 copies, had 
been published. The guides were in detail and 
in the format prescribed by ISOO Directive No. 

1, Para. II D. 

3. (5-404(a) and (b)). The Deputy Director for 
Administration had been designated to oversee 
the agency program and to chair an agency 
committee to act on suggestions and compliants 
concerning the agency's inrormation security 
program. 

4. (5-404(c)). There was in being a process for 
deciding appeals from.denials of mandatory 
declassification review requests. 

a (5-404(d)). There had been aggressive action 
to familiarize all agency personnel with the 
Order and Directive. Initial orientation, 
consisting of an excellent tape-slide presenta- 


tion with a question/answer period, was presented 
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in 52 sessions prior to the effective date of 
the Order. In addition, information security 
packages have been included in various internal 
agency training programs. 

6,  (5-404(e)). See II A 1 above. 

TV (5-404(£)). The CIA mission requires that all 
employees be subjects of a favorable full field 
background investigation and a polygraph examin- 
ation. Although ctearances are granted ona 
"blanket" basis, access to specific information 
is controlled, primarily through the Sensitive 
Compartmented Intelligence Information Programs. 

B. (5-404(g)). Safeguarding practices are systemat- 
ically reviewed with a view toward simplicity 
and improvement. For example, a recent review 
of problems associated with protecting the large 
number of documents held by the agency resulted 
in a "Sensitive Document Control Program". As - 
a result of this certain documents, selected at 
operating official level, are stored separately 
and must be personnally accounted for by 


designated officials. 


B. CLASSIFICATION 
l. The total number of CIA personnel who posses 
original classification authority is 1629 


(TS-430, S-1169 and C-21) -- a decrease of 74 
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from the number reported in mid-1978. Positions 


to which original classification authority is 
delegated are designated by memorandum. Addi- 
tionally, incgbments of these positions are 
subjects of a formal personnel action designating 
them as an authorized classifier. A listing of 
all sathorized classifiers, by name, title, 
employee number, and classification level is 
published periodically. The list is classified 
Secret because of the association of names with 
employee numbers for those personnel under cover. 
The ISOO representatives were not authorized to 
review this listing as a whole, but were allowed 
to review specific names of those personnel not 
under cover. In an effort to control derivative 
classification, a similar system is used to 
designate those aeeeens who are authorized to 
apply derivative markings. 

2. A total of approximately 150 agency originated 
classified documents of all classification levels, 
collateral and Sensitive Compartmented Intelligence 
Information (SCII), were reviewed in the various 
offices visited. In no case did a document appear 
to be over-classified. Classification markings 
were proper except that in a very few cases 


documents were not portion marked. In most cases 
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observed, documents were marked as derivatively 
classified with a CIA Classification Guide as 
the source. (Source citations were checked 
against guides and in all cases were found to 
be appropriate). Most documents were marked 
for declassification review at the 20 year mark; 
those originally classified almost exclusively 
used "sources and methods" as the basis for 
extension beyond 6 years. Only a few observed 
were marked for automatic declassification at 
the 6 year mark. Some area studies and personality 


studies were marked with a review date of 6 years. 


Cc. DECLASSIFICATION 

a Systematic Review: The agency has given special 
attention to systematic review of records for 
declassification: there ig operating under the 
Chief, Information Security Staff, a Classification 
Review Division with 30 full-time agency personnel, 
15 part-time annuitants (total authorization is 
39 full time personnel) and a budget of $1.2 
million for FY 80. Material for systematic review 
comes from present agency holdings -of approximately 
45 million pages plus an equal amount estimated to 
be created in the next ten years. There was no 
estimate regarding how much of this (90 million - 


pages) will be designated as permanent records and 
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thus subject to review under E. 0. 12065. 
Although review of 200 cu. ft. of predecessor 
agency (WWII OSS) records resulted in over 90% 
being declassified and accessioned to NARS, 
review of post-WWII records has so far resulted 
in retention of classification in approximately 
90% of the cases. (One reason for this high 
percentage is that CIA files are normally cut 

off of project, rather than a given date; 
accordingly some material being reviewed is 
relatively current). Although a low percentage 
of documents are declassified, a considerable 
number are downgraded to Confidential, thus 
reducing storage and handling requirements. 
Records of decisions to continue classification 
are computerized, facilitating the administrative 
action of certifying continued classification by 
the Director as well as retrieval from file. 
After review, documents, including those declass-~- 
ified, are returned to the agency records storage 
area. 

Mandatory Review: All requests for release of 
information, whether submitted under FOIA, 
Privacy Act, or E. O. 12065, are handled by the 
Information and Privacy Division (with a staff 


of 23) on a “first in-first out" basis regardless 
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of the time limits imposed by statute.or Executive 


Order. The procedure established for processing 

a request is: 

Ls Determine if the request meets the 
requirements. ; 

2% Notify the requester that. the request has 
Been’ paceieed and is being processed. 

ee Send the request to the Directorate with 
subject matter interest. 

4. neTiog sin ene request, if not received from 
the Directorate, within an established 
period of time. 

a After the review has been completed, the 
agency sends a letter to the requester 
along with releaseable information. If 
the request is denied, the requester is 
advised of his Hane: 

It is estimated that it takes 116 staff years annually to 
process requests. The total backlog is ccauraerenie esas 
the Division Chief estimated that even if no new requests 
were received it would take 18-24 months .to process 
requests presently on hand. Time limits for processing 
requests under E. O. 12065 are not being met; in fact, 
letters acknowledging receipt of a requests frankly state 
this and advise the requester of his right to appeal on 


that basis. Appeals are handled administratively in the 
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same manner as requests and the same problems apply. There 

appears to be little that can be done to speed the process, 

given the requirement for detailed review and coordination 

to protect intelligence sources and methods. 

dD. SAFEGUARDING. The CIA is in compliance with all 

<-—- safeguarding procedures established under the Order. 
They have Top Secret control offices in all Director- 
ates and conduct inventory of Top Secret documents on 
an annual basis. Top Secret, codeword and compartmented 
information is stored in security containers located 
within vaulted areas and access is restricted to 
personnel on a need-to-know basis. They have also 
adopted a sensitive document control program with’ 
strict accountability for particularly sensitive 


documents. 


KUDOS 

A The agency Information Security Program Handbook 
ME, although requiring some changes and 
additions in the opinion of IS00, is an excellent 
publication and a credit to its authors. 

B. Personnel of the agency with whom the program was 
discussed indicated an in-depth knowledge of both 
the mechanics and the philosophy of the information 
security program. 

Cs The use of Agency Classification Guides was evident 


in all components where files were reviewed. 
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IV. CONCLUSIONS 
The Central Intelligence Agency appears dedicated in their 
desire to fully comply with the provisions of the Order. 
Officials interviewed were thoroughly knowledgeable with 
the Order and implementing directive, and sincere is their 
desire to adhere to. the information security program. 
Me RECOMMENDATIONS 
Based upon findings above, IS00 recommends that CIA: 
Ls Expedite publication of their agency regulations 
in the Federal Register. 
2. Expedite publication of their systematic review 
guidelines in the Federal Register. 
cm Provide a copy of the ISOO report to the Chief, 


Information Services Staff. 


Enclosures: 
Ly Review Itinerary . 
pe CIA procedure for access to classified information 


by ISOO personnel 


DRAFTER: HMason/JCornett/yh 
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